JS: add mongodb .connect tests

Author: esbena

javascript/ql/test/query-tests/Security/CWE-089/untyped/dbo.js

@@ -0,0 +1,13 @@
+let dbClient = require("mongodb").MongoClient,
+  db = null;
+module.exports = {
+  db: () => {
+    return db;
+  },
+  connect: fn => {
+    dbClient.connect(process.env.DB_URL, {}, (err, client) => {
+      db = client.db(process.env.DB_NAME);
+      return fn(err);
+    });
+  }
+};

javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js

@@ -65,3 +65,22 @@ app.post('/documents/find', (req, res) => {
 		doc.find(query);
 	});
 });
+
+app.post("/logs/count-by-tag", (req, res) => {
+  let tag = req.query.tag;
+
+  MongoClient.connect(process.env.DB_URL, {}, (err, client) => {
+    client
+      .db(process.env.DB_NAME)
+      .collection("logs")
+      // NOT OK: query is tainted by user-provided object value
+      .count({ tags: tag });
+  });
+
+  let importedDbo = require("./dbo.js");
+  importedDbo
+    .db()
+    .collection("logs")
+    // NOT OK: query is tainted by user-provided object value
+    .count({ tags: tag });
+});